Rust devs push back as Serde project ships precompiled binaries
2023-08-19 13:55

Serde, a popular Rust serialization project, has decided to ship its serde_derive macro as a precompiled binary.

According to the Rust package registry, crates.io, serde has been downloaded over 196 million times over its lifetime, whereas the serde_derive macro has scored more than 171 million downloads, attesting to the project's widespread circulation.

About three weeks ago, a Rust programmer using the Serde project in their application noticed something odd.

"I'm working on packaging serde for Fedora Linux, and I noticed that recent versions of serde_derive ship a precompiled binary now," wrote Fabio Valentini, a Fedora Packaging Committee member.

Valentini further asked the project maintainers how these new binaries were "actually produced," and whether it would be possible for him to recreate the binaries, as opposed to consuming precompiled versions.

Some Rust developers request that precompiled binaries be kept optional and separate from the original "serde_derive" crate, while others have likened the move to the controversial code change to the Moq .NET project that sparked backlash.


News URL

https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/